How to configure SSH authorized key?



  • Sorry I am a noob. How can I generate a public key? How is that different from a private key? I want to make sure it's all secure. Do I have to create a public key using PuttyGen? or similar software? What portion of the key should be inserted ? all of it?

    Thanks for the tip on root access.



  • You need to generate a key in OpenSSH format.  I'm not familiar with Putty, but it's documentation will cover that (having read it before).

    Generating a key generates 2 parts - a private part and a public part.  The private part stays on the machine running the SSH client, the public part is put onto the servers.  You must put the entire public key on the server.



  • I think puttygen is capable of generating a public key in the form needed by OpenSSH.  It may even give you the line to paste into the authorized keys when you generate or open a private key.


  • Rebel Alliance Developer Netgate

    When you generate a key in PuTTY, it should make both a private and a public key. Usually if the key is, say, mykey.ppk, the public part is mykey.pub.

    Look in the PuTTY docs (one copy is here: http://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter8.html#pubkey-puttygen ) and it's all covered in detail.

    You can load your key in PuTTYgen and then go to Conversions > Export OpenSSH Key. Take the output from that and paste it into the pfSense router where it asks for the ssh key.



  • I just looked at the puttygen program again.  The part you want to paste into the pfSense configuration is the text in the box labeled "Public key for pasting into OpenSSH authorized_keys file:"

    If you want to use the key with PuTTY (or anything that uses PuTTY's plink.exe), click "Save private key" and use that file with PuTTY.



  • Thanks for all the tips guys. I am still failing this. Can someone post private and public keys here so I can test maybe?!

    This is what I have done.

    1- Generated randomness by moving mouse over PuttyGen window.
    2- Saved the Private and Public key with a Pass-Phrase.
    3- IMPORTANT: Mode was set to SSH-2 - Hopefully this is not where I am doing things wrong.
    4- Loaded the private key back into PuttyGen and authenticated it by putting the passphrase.
    5- Click menu Conversion -> Export OpenSSH key and save the file which had no extension.
    6- Loaded all of the content of the OpenSSH key in Authorized keys page of pfsense.
    7- Set the SSH port to 2060 and  Enable Secure Shell with Disable Password login for Secure Shell (KEY only).
    8- Opened Putty and loaded private key which was generated in Step #2 into Connections > SSH > Auth and opened a session to the router 192.168.1.1
    9- Inputed root as the username and then this is what I got:

    login as: root
    Server refused our key
    Using keyboard-interactive authentication.
    Password:

    If I input the password for admin then it logs in. This is not right as first of all the SSH login by password should be disabled.

    Any suggestions please?

    Thanks a lot again.



  • No, you don't want to use the export OpenSSH key option.  That saves the private key, which is only needed by the client.  You want the public key in your pfSense configuration.  Copy the text in the "Public key for pasting into OpenSSH authorized_keys file:" box and paste it into the authorized keys in pfSense.  You will want to remove the other that you put in there, since the private key isn't valid there.



  • Okay, so I am supposed to use the OpenSSH exported key on putty. However, the key generated by OpenSSH doesn't have the prefix .ppk so, I used it without the .ppk and used it with a .ppk extension which I give and it was no work again. Error message:

    Unable to use key file "C:\Users\owner\Desktop\openssh_privatekey" (OpenSSH SSH-2 private key)

    I am getting anxious now. Here is all the files I created. Can someone please test this.

    Efonne,
    IMPORTANT: None of my files include the "Public key for pasting into OpenSSH authorized_keys file:" which you mentioned in your post. Do you use PuttyGen to generate key files?

    ANYTHING YOU SEE BELOW ENCAPSULATED IN CODE AND SHOWS AS CODE WAS EXACTLY COPIED AND PASTED AND NO HEADERS WERE REMOVED WHILE USED ON PFSENSE OR THE PUTTY CLIENT.

    PassPhrase:

    dklsfjs87234ksdfkhERewrkjewh@#$3kjsdfjusdj
    

    Private Key by PuttyGen (This was also used on PuttyClient on another attempt to see if it works and failed):

    PuTTY-User-Key-File-2: ssh-rsa
    Encryption: aes256-cbc
    Comment: rsa-key-20100730
    Public-Lines: 4
    AAAAB3NzaC1yc2EAAAABJQAAAIEAwKVyCw7h2WIiOiTh+6Msu2s15WNxQoY7hPco
    z0rZCgiAkaKYE8hMpXxJ2vc9kVSSqp6SK9NwoLTJi3/ciRbbAPcNCq+sfOPyLtkd
    kBUSx1SZR5PdYpmA+shG25ezwO3nikcglWNiiSEcw9z5QSJ7rHYLiMVVEhJ9fi2/
    1cL5QD8=
    Private-Lines: 8
    tDxVbyl3KIMuJ8Ap05W/ypJe+lWmL+nzAmAilLXq1B6FS/91jPweJbtlfkimALV/
    lTiN+nSynC+IgJpx05BjP4p4GdaxqfFjB5aTm1DPR5CSV5b75UC0j9A0ijeBYZ8D
    fN/89cGFJwbi53LSyjovd5VC09eAWqlnRKGuJ7p+dFtYbo6gQ/04BBo3vEMR3nrc
    jswq+GvUhEZRZs8qHPOg0bCMGg2ZSv2k2fSzoYeSfEOHpG0yih4jscnsTWlZwjDj
    5oTyMDzM0OPeG3tl/BoivQu9pHQegDt72aw/QLzjnVYuXT0Q2ttwAmluRbZjcdjq
    svJtwtLX74bpTAZMCb9sMUC/VEyf2uaQI9EIZKlJZphq+pR7YgGMmvDfj2vSHan/
    PT9mDe7iNt/lxILIVChcrWBO63blN5b25D5ILxdZLokQKGY5VYRajGJSuPLViL73
    ur8/Kg7PPFy/jAmmcQLxLw==
    Private-MAC: 055545f59a6889192e7309575a55388ac7b4b981
    

    Public Key by PuttyGen (Was put into pfsense System > Advanced > Auth Keys):

    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "rsa-key-20100730"
    AAAAB3NzaC1yc2EAAAABJQAAAIEAwKVyCw7h2WIiOiTh+6Msu2s15WNxQoY7hPco
    z0rZCgiAkaKYE8hMpXxJ2vc9kVSSqp6SK9NwoLTJi3/ciRbbAPcNCq+sfOPyLtkd
    kBUSx1SZR5PdYpmA+shG25ezwO3nikcglWNiiSEcw9z5QSJ7rHYLiMVVEhJ9fi2/
    1cL5QD8=
    ---- END SSH2 PUBLIC KEY ----
    

    OpenSSH key Exported from PuttyGen (not sure if this is a private key like Efonne noted or public key as it has no extension but inside says private key) - (This was used on Putty client to connect to pfsense and failed):

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,15731C21C3F1B673
    
    0tRZlz81Oz048sJb7LKOR18piKnT4klb2jfvgEACTHmYrm3C8VCwTDJNw/2XBrL1
    IHfG5ZhYrKLLAL/jKOoNO7oTMdTDhs/7qL+iRc3UCHCVp1WJe24HC3vUcHrrzrBf
    uS0flEAVqW86prgmmcnKx4k2QD7csRZlKQrCAYud3Fdrnx8feA80cV7zVcHFSO60
    oVA5Ch1MwE4wK6AAUkrYEbbI9HZmJIS2QXiZbXSeV5Ey+S/sJUnHrwGe5FgZFlTm
    +rpUYDpygFzFn5+KyLkKWI4PFEmM9AuuNY+2o8MnNUJ+dx8/fZHf04y//qMVA5ST
    txAbAJwXm1h8A4Kmsu3XerSONvr9wMrNrqq3Q4Q8WwVldCIDX65qG18SI4AcxXQc
    YAWAVWIyfQqc4RVbKZsQZt4RN5YzAW8Z8eEU7It1NI0EjOd6VaCRGkOiC54xvZJe
    ZFCvmMtJGPs08ZdHckQl6DxYdMpY2WQNXskQHQSgdL3bxKfFxyfF3ZlgHFLJG/ca
    DDQzwhP0G0lFNCDSj/x235s6VLRTVec3y/UP0IGpe49kqWri+gQUESqLIbXXwNyU
    JYNcG8BcIxlGlQw3jFnbN3g84dP2ETCeY6dRdIwcEteE//BGYTCLpPQob0uSgHBU
    aT0RWoX0oeP6karwagslQ4YsOu6hZPBmFUhJoQCAKN/YQlVweaWu0UU5PFumG9Qj
    uManNko52OMbZkxRVQ2ju7D0VFZWQT49ZQhjgaszb+NNUHDPsCu7fvoVrsYwJY3X
    iSGSaKWuZfEgXIqMpDmOorBN0OTHadoD2H9d2sRhdE8=
    -----END RSA PRIVATE KEY-----
    

    Thanks


  • Rebel Alliance Developer Netgate

    And now that you've completely compromised the security of that key, trash it and make a new one. :-)



  • Does that mean you tested it and it works for you :-) ???

    I hope I haven't contributed to too much of the green house effects by making the key public and useless :-) After all, it's only few billion electrons displaced.


  • Rebel Alliance Developer Netgate

    No, I didn't try it.

    There's a bit of a misunderstanding about what you need to do, perhaps.

    When you make the key, save it as blah.ppk. Don't worry about the OpenSSH export, only the "public key for pasing" box. Copy the contents of that box into pfSense's field for authorized keys.
    Make sure the key gets saved.

    Fire up pageant.
    Double click the pageant icon in the taskbar
    Click add key
    find your blah.ppk
    Load that up, enter the passphrase if you made one

    Then connect with putty.



  • They say a picture is like 1000 words. Doing what you said disregarding the OpenSSH key export, I am getting a different error. Please check below link for the snap shot of my desktop.

    https://docs.google.com/leaf?id=0B9R-hmALgNpVYzlmNzdkZmItY2IzNy00NzMyLThiZGEtNTI5MDI0NzU2OGNj&hl=en

    Error:
    No supported authentication method available

    Thanks


  • Rebel Alliance Developer Netgate

    Take off the begin, end, and comment lines. If that doesn't work, load the key back up in puttygen, and make sure you have copied the box on the main screen that says right on top of it that it's the openssh public key.

    Exporting the openssh key will export the whole key, not just the public part.



  • Perfect. Works amazingly now. Apparently the Public key saved is much different from what is in puttygen window (probably extraneous header and footer stuff).

    All right,so to summarize and help others, here is how this should be done:

    1- Open PuttyGen and Generate some randomness while PuttyGen creates a key for you.
    2- Enter a long a$$ password with lots of characters, caps, small, and numbers phrase and save private key.
    3- Do NOT SAVE public key. The whole point of this is to not have both keys on the same machine as security maybe compromised. Also, it's unnecessary to save public key.
    4- Once key is generated, in the window on top (on PuttyGen) you will see you public key. Copy and paste that into pfsense System > Advance > Auth key and disable root login and press Save (don't forget SAVE).
    5- Open Pageant (part of the Putty package) and add the private key. It will ask for your pass-phrase so enter it to add the key.
    6- Open a putty session to your server IP and type root and it MUST login.
    7- Enjoy the security and safeguard your key away from your pass-phrase.

    -Bruce


  • Rebel Alliance Developer Netgate

    Sounds good except for…

    @torontob:

    3- Do NOT SAVE public key. The whole point of this is to not have both keys on the same machine as security maybe compromised. Also, it's unnecessary to save public key.

    You want to save the public key. It doesn't harm security, it's the "public" part. You can even put that up somewhere for others to grab so they can add it to their servers and let you in with ssh keys.

    Besides, if you ever need to login to a second box with the same key, you'll need that again. :-)



  • Not trying to be rude but if you don't understand why the public key does not have to be protected or kept separate from the private key (WHICH IT SELF HAS TO BE KEPT SECRET) then please don't write instructions for others. Figure out first how things really work, please.



  • Good to know all that about Public key. Thanks again guys.



  • Besides, puttygen can generate the public key if you give it the private key.

    By the way, I was saying all along that you want to paste the key from that box into your pfSense configuration.  I've used this before, so I know the steps that are involved. ;)



  • Yes, you were right. But I was seeing it as the Public key as I was confused by other posts and specially the openSSH one.

    Thanks



  • The key in the box is the public key in the form that OpenSSH uses on the server end and the export OpenSSH key saves the private key needed for using OpenSSH as the client.


Log in to reply